Explaining technology, software development, security, and other things. And we can't forget good BBQ.

Saturday, May 11, 2013

The now of passwords Pt 1.

Most everyone is familiar with passwords. You give a username or email address, and you enter your password. This forms the basis of virtually everything we do online. With today's technology, using passwords to protect websites and other services is nearly useless. Why is that? Why do some websites have certain restrictions, like only using certain characters, or why can't I used more than 8 characters at some places.

How passwords are stored and checked

Passwords are one of the most basic security features. A user enters a password, its received by the software processing the password (referred to as the "server" from now on.),then analyzed to see if its the expected password. Simple huh? (Note: we're ignore how the password is transfer from the user to the server.) I'll be going over how password storage and checking has evolved. This is a general overview, and will (hopefully) not be too technical. If you have questions or comments, please ask in the comment section below.

Simple password storage

In the early days of password protection, it was that simple. Password were stored, as-is, in a file or database. Anyone with access to those files or databases could read your password, and log in as you. Hackers had a field day, because all they needed was file or database access.

Encrypted passwords

Eventually, servers added encryption. When you set your password, it would be stored encrypted. Then when you entered your password, it was received and then encrypted by the server. Then the server would compare the encryption results against the already encrypted password in the database.

Hackers started doing several things here. First, they would analyze the encryption method for weaknesses. Depending on the encryption used, the length of the result encryption would change with the size of the password. So just knowing the length of the password would narrow down the possibilities. With this knowledge, they would "brute-force" the passwords, trying every combination of characters. As time went on, they started creating "rainbow tables" which are tables that contain all combinations of passwords, with the resulting encrypted value. This means that even with an encrypted password, it was relatively easy to find the password.

Hashed passwords

With encrypted passwords, the length of the encrypted password would give clues that would reduce the amount of work needed to crack the password. Servers then started to implement "hashed" passwords. Hashing uses an algorithm to come up with a single large number or represent the password. The advantage of this over encryption is that for every password, the hashed value is exactly the same length as all the other hashed passwords. Assume that the hashed value was 32 digits long. No matter if you have a password that was a single character, or 100 characters, the length of the hashed password is 32 digits.

This makes it so that the hackers do not know the length of your password by looking at it. Now they have to generate every single combination before they can crack a password.

In part 2 of this article, I'll cover multi-hashed passwords and salting.